Blob Blame History Raw

##############################
#
# core macros for the type enforcement (TE) configuration.
#

#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>, Timothy Fraser  
#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
#           Russell Coker <russell@coker.com.au>
#

#################################
# 
# Macros for groups of classes and 
# groups of permissions.
#

#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')

#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')

#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')

#
# All socket classes.
#
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')


#
# Datagram socket classes.
# 
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')

#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')

#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')


# 
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr }')

# 
# Permissions for executing files.
#
define(`x_file_perms', `{ getattr execute }')

# 
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl }')

# 
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ read getattr lock execute ioctl }')

# 
# Permissions for reading and writing files and their attributes.
#
define(`rw_file_perms', `{ ioctl read getattr lock write append }')

# 
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append }')

#
# Permissions for linking, unlinking and renaming files.
# 
define(`link_file_perms', `{ getattr link unlink rename }')

#
# Permissions for creating lnk_files.
#
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')

#
# Permissions for creating and using files.
# 
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')

# 
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl }')

# 
# Permissions for reading and writing directories and their attributes.
#
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')

# 
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')


#
# Permissions for creating and using directories.
# 
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')

#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')

#
# Permissions for using sockets.
# 
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
# 
define(`create_socket_perms', `{ create rw_socket_perms }')

#
# Permissions for using stream sockets.
# 
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')

#
# Permissions for creating and using stream sockets.
# 
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')

#
# Permissions for creating and using sockets.
# 
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
# 
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')


#
# Permissions for creating and using netlink sockets.
# 
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that modify state.
# 
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that observe state.
# 
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')

#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')

#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')

#
# Permissions for using System V IPC
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')

#################################
# 
# Macros for type transition rules and
# access vector rules.
#

#
# Simple combinations for reading and writing both
# directories and files.
# 
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:file r_file_perms;
allow $1 $2:lnk_file { getattr read };
')

define(`rw_dir_file', `
allow $1 $2:dir rw_dir_perms;
allow $1 $2:file rw_file_perms;
allow $1 $2:lnk_file { getattr read };
')

define(`ra_dir_file', `
allow $1 $2:dir ra_dir_perms;
allow $1 $2:file ra_file_perms;
allow $1 $2:lnk_file { getattr read };
')

define(`ra_dir_create_file', `
allow $1 $2:dir ra_dir_perms;
allow $1 $2:file { create ra_file_perms };
allow $1 $2:lnk_file { create read getattr };
')

define(`rw_dir_create_file', `
allow $1 $2:dir rw_dir_perms;
allow $1 $2:file create_file_perms;
allow $1 $2:lnk_file create_lnk_perms;
')

define(`create_dir_file', `
allow $1 $2:dir create_dir_perms;
allow $1 $2:file create_file_perms;
allow $1 $2:lnk_file create_lnk_perms;
')

define(`create_dir_notdevfile', `
allow $1 $2:dir create_dir_perms;
allow $1 $2:{ file sock_file fifo_file } create_file_perms;
allow $1 $2:lnk_file create_lnk_perms;
')

define(`create_append_log_file', `
allow $1 $2:dir { read getattr search add_name write };
allow $1 $2:file { create ioctl getattr setattr append link };
')

##################################
#
# can_ps(domain1, domain2)
#
# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
#
define(`can_ps',`
allow $1 $2:dir { search getattr read };
allow $1 $2:{ file lnk_file } { read getattr };
allow $1 $2:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6).  Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 $2:process ptrace;
')

##################################
#
# can_getsecurity(domain)
#
# Authorize a domain to get security policy decisions.
#
define(`can_getsecurity',`
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:{ file lnk_file } { getattr read };
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
')

##################################
#
# can_setenforce(domain)
#
# Authorize a domain to set the enforcing flag.
# Due to its sensitivity, always audit this permission.
#
define(`can_setenforce',`
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security setenforce;
auditallow $1 security_t:security setenforce;
')

##################################
#
# can_setbool(domain)
#
# Authorize a domain to set a policy boolean.
# Due to its sensitivity, always audit this permission.
#
define(`can_setbool',`
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security setbool;
auditallow $1 security_t:security setbool;
')

##################################
#
# can_setsecparam(domain)
#
# Authorize a domain to set security parameters.
# Due to its sensitivity, always audit this permission.
#
define(`can_setsecparam',`
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security setsecparam;
auditallow $1 security_t:security setsecparam;
')

##################################
#
# can_loadpol(domain)
#
# Authorize a domain to load a policy configuration.
# Due to its sensitivity, always audit this permission.
#
define(`can_loadpol',`
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
allow $1 proc_t:file { getattr read };
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
allow $1 security_t:security load_policy;
auditallow $1 security_t:security load_policy;
')

#################################
#
# domain_trans(parent_domain, program_type, child_domain)
#
# Permissions for transitioning to a new domain.
#

define(`domain_trans',`

#
# Allow the process to transition to the new domain.
#
allow $1 $3:process transition;

#
# Do not audit when glibc secure mode is enabled upon the transition.
#
dontaudit $1 $3:process noatsecure;

#
# Do not audit when signal-related state is cleared upon the transition.
#
dontaudit $1 $3:process siginh;

#
# Do not audit when resource limits are reset upon the transition.
#
dontaudit $1 $3:process rlimitinh;

#
# Allow the process to execute the program.
# 
allow $1 $2:file { read x_file_perms };

#
# Allow the process to reap the new domain.
#
allow $3 $1:process sigchld;

#
# Allow the new domain to inherit and use file 
# descriptions from the creating process and vice versa.
#
allow $3 $1:fd use;
allow $1 $3:fd use;

#
# Allow the new domain to write back to the old domain via a pipe.
#
allow $3 $1:fifo_file rw_file_perms;

#
# Allow the new domain to read and execute the program.
#
allow $3 $2:file rx_file_perms;

#
# Allow the new domain to be entered via the program.
#
allow $3 $2:file entrypoint;
')

#################################
#
# domain_auto_trans(parent_domain, program_type, child_domain)
#
# Define a default domain transition and allow it.
#
define(`domain_auto_trans',`
domain_trans($1,$2,$3)
type_transition $1 $2:process $3;
')

#################################
#
# can_ptrace(domain, domain)
#
# Permissions for running ptrace (strace or gdb) on another domain
#
define(`can_ptrace',`
allow $1 $2:process ptrace;
allow $2 $1:process sigchld;
')

#################################
#
# can_exec(domain, type)
#
# Permissions for executing programs with
# a specified type without changing domains.
#
define(`can_exec',`
allow $1 $2:file { rx_file_perms execute_no_trans };
')

# this is an internal macro used by can_create
define(`can_create_internal', `
ifelse(`$3', `dir', `
allow $1 $2:$3 create_dir_perms;
', `$3', `lnk_file', `
allow $1 $2:$3 create_lnk_perms;
', `
allow $1 $2:$3 create_file_perms;
')dnl end if dir
')dnl end can_create_internal


#################################
#
# can_create(domain, file_type, object_class)
#
# Permissions for creating files of the specified type and class
#
define(`can_create', `
ifelse(regexp($3, `\w'), -1, `', `
can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))

can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
')
')
#################################
#
# file_type_trans(domain, dir_type, file_type)
#
# Permissions for transitioning to a new file type.
#

define(`file_type_trans',`

#
# Allow the process to modify the directory.
#
allow $1 $2:dir rw_dir_perms;

#
# Allow the process to create the file.
#
ifelse(`$4', `', `
can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
', `
can_create($1, $3, $4)
')dnl end if param 4 specified

')

#################################
#
# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
#
# the object class will default to notdevfile_class_set if not specified as
# the fourth parameter
#
# Define a default file type transition and allow it.
#
define(`file_type_auto_trans',`
ifelse(`$4', `', `
file_type_trans($1,$2,$3)
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
', `
file_type_trans($1,$2,$3,$4)
type_transition $1 $2:$4 $3;
')dnl end ifelse

')


#################################
#
# can_unix_connect(client, server)
#
# Permissions for establishing a Unix stream connection.
#
define(`can_unix_connect',`
allow $1 $2:unix_stream_socket connectto;
')

#################################
#
# can_unix_send(sender, receiver)
#
# Permissions for sending Unix datagrams.
#
define(`can_unix_send',`
allow $1 $2:unix_dgram_socket sendto;
')

#################################
#
# can_tcp_connect(client, server)
#
# Permissions for establishing a TCP connection.
# Irrelevant until we have labeled networking.
#
define(`can_tcp_connect',`
#allow $1 $2:tcp_socket { connectto recvfrom };
#allow $2 $1:tcp_socket { acceptfrom recvfrom };
#allow $2 kernel_t:tcp_socket recvfrom;
#allow $1 kernel_t:tcp_socket recvfrom;
')

#################################
#
# can_udp_send(sender, receiver)
#
# Permissions for sending/receiving UDP datagrams.
# Irrelevant until we have labeled networking.
#
define(`can_udp_send',`
#allow $1 $2:udp_socket sendto;
#allow $2 $1:udp_socket recvfrom;
')


##################################
#
# base_pty_perms(domain_prefix)
#
# Base permissions used for can_create_pty() and can_create_other_pty()
#
define(`base_pty_perms', `
# Access the pty master multiplexer.
allow $1_t ptmx_t:chr_file rw_file_perms;

allow $1_t devpts_t:filesystem getattr;

# allow searching /dev/pts
allow $1_t devpts_t:dir { getattr read search };

# ignore old BSD pty devices
dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
')


##################################
#
# pty_slave_label(domain_prefix, attributes)
#
# give access to a slave pty but do not allow creating new ptys
#
define(`pty_slave_label', `
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;

# Allow the pty to be associated with the file system.
allow $1_devpts_t devpts_t:filesystem associate;

# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $1_devpts_t;

# Read and write my pty files.
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
')


##################################
#
# can_create_pty(domain_prefix, attributes)
#
# Permissions for creating ptys.
#
define(`can_create_pty',`
base_pty_perms($1)
pty_slave_label($1, `$2')
')


##################################
#
# can_create_other_pty(domain_prefix,other_domain)
#
# Permissions for creating ptys for another domain.
#
define(`can_create_other_pty',`
base_pty_perms($1)
# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $2_devpts_t;

# Read and write pty files.
allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
')


#
# general_domain_access(domain)
#
# Grant permissions within the domain.
# This includes permissions to processes, /proc/PID files,
# file descriptors, pipes, Unix sockets, and System V IPC objects
# labeled with the domain.
#
define(`general_domain_access',`
# Access other processes in the same domain.
# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
# These must be granted separately if desired.
allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};

# Access /proc/PID files for processes in the same domain.
allow $1 self:dir r_dir_perms;
allow $1 self:notdevfile_class_set r_file_perms;

# Access file descriptions, pipes, and sockets
# created by processes in the same domain.
allow $1 self:fd *;
allow $1 self:fifo_file rw_file_perms;
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;

# Allow the domain to communicate with other processes in the same domain.
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;

# Access System V IPC objects created by processes in the same domain.
allow $1 self:sem  create_sem_perms;
allow $1 self:msg  { send receive };
allow $1 self:msgq create_msgq_perms;
allow $1 self:shm  create_shm_perms;
allow $1 unpriv_userdomain:fd use;
#
# Every app is asking for ypbind so I am adding this here, 
# eventually this should become can_nsswitch
#
can_ypbind($1)
allow $1 autofs_t:dir { search getattr };
')dnl end general_domain_access